• Please write (clearly) your name and student ID on the top of each page.
• Make sure you have 12 pages with 5 sections of questions.
• Only pens, pencils and erasers are allowed. No other items can be present (e.g., notes, books, smartphones,
tablets, laptops ...etc.).
Question: 1 2 3 4 5 Total
Points: 15 10 9 9 9 52
Score:
Name (First, Last):
UCI ID Number:
4. Based on current knowledge, which of the following problems is NOT “difficult” to solve? A problem is
considered to be difficult to solve when there is no known efficient algorithm that solves it.
A. Given a large prime p and an integer a, finding an integer x such that a · x = 1 mod p
B. Given a large composite n, finding all prime factors of n
C. Given an integer a and a large composite n, finding an integer x such that x^2 = a mod n
D. Given integers a and b and a large prime p, finding an integer x such that a^x = b mod p
E. None of the above
5. Denote l as the effective key length for a block cipher E(). What is the effective key length of 4-E: C =
E(K1, E(K2, E(K3, E(K4, P))))? Assume Ki's are keys, P is a plaintext and C is a ciphertext. (Hint: do not
forget about Meet-in-the-Middle attack)
A. l
B. 2 · l
C. 3 · l
D. 4 · l
E. None of the above
6. Using the birthday paradox, on average, how many trials does it take (approximately) to find a collision on an
n-bit hash with ≥ 0.5 probability?
A. √(log(n))
B. √n
C. √(2^n)
D. 2^n / 2
E. None of the above
7. Consider the following system of two equations (congruences):
x = 12 mod 29
x = 7 mod 15
According to Chinese Remainder Theorem (CRT), which of the following is true about x?
A. x has no solution in (mod 29 · 15)
B. x has exactly one solution in (mod 29 · 15)
C. x has more than one solution in (mod 29 · 15)
D. x has four solutions in (mod 29 · 15) because there are two equations
E. None of the above
8. Suppose Alice and Bob want to establish a shared secret key by executing the Diffie-Hellman key exchange
protocol (consider the textbook version discussed in class). First, they agree to use a modulus p = 13 and a
generator g = 7. Alice then chooses a as her secret integer and sends Bob A = g^a mod p = 8. Suppose Bob
chooses 3 as his secret integer and sends Alice B = g^3 = 5 mod p. What is a shared secret between Alice and
Bob?
A. 1
B. 5
C. 6
D. 12
E. None of the above
9. What is an RSA signature for a message m = 4? Assume the following RSA parameters: a private exponent
d = 17 and a composite n = 21. (Hint: Lagrange’s Theorem implies that a^Φ(n) = 1 mod n when gcd(a, n) = 1.)
A. 1
B. 4
C. 16
D. 20
E. None of the above
10. Suppose a prime p = 3 mod 4 and a ∈ Z_p. Which of the following is equivalent to a square root of a mod p?
A. a^(p−1) mod p
B. a^((p+1)/4) mod p
C. a^((p+1)/2) mod p
D. a^((p−1)/2) mod p
E. All of the above
1. Using the Cipher Feedback (CFB) mode, a Message Authentication Code (MAC) of a message m can be created
by encrypting m using CFB mode and using the last block as MAC.
2. The AES cipher in Electronic Code Book (ECB) mode should not be used to encrypt bulk data (i.e., multiple
blocks) because
3. Φ(237) = 2*78 = 156 (Hint: 237 is a product of two primes, one of which is very small).
4. There are 6, which is {1, 2, 4, 5, 7, 8} elements in Z*_9 (Hint: Z*_n is a set of positive integers (mod n) relatively
prime to n).
5. Using ElGamal Public Key Cryptosystem, a ciphertext of a message m is: [k, c] = [b^r mod p, m · y^r mod p].
Recall that the parameters of ElGamal Public Key Cryptosystem are: p is a large prime, b is a generator in Z_p,
3 Block Cipher
Consider the “Plaintext Feedback” (PFB) mode where the encryption formula for ciphertext block C_i is:
C_i = E_K(P_i) ⊕ C_{i−1}, C_0 = IV and E() can be any strong block cipher, e.g., AES.
(b) (3 pts) Explain the precise consequence of the loss of ciphertext block Ci . Assume a decryptor is aware of that
loss (i.e., knows the index, i, of the lost block).
(c) (3 pts) Are there any security problems in PFB mode? If so, identify one problem and briefly justify your
answer. If not, explain why there are no problems.
Solution:
(a) P_i = D_K(C_i ⊕ C_{i−1})
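Added example (not part of the original exam or its solutions): PFB encryption and the decryption formula from (a), with a toy Feistel permutation built from SHA-256 standing in for E(); the function names, key, IV and messages are constructed. It shows that anyone holding the ciphertext can compute C_i ⊕ C_{i−1} = E_K(P_i), so repeated plaintext blocks are as visible as in ECB mode even though the ciphertext blocks themselves differ.

```python
import hashlib

BS = 16  # block size in bytes

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def E(key, blk):
    """Toy 4-round Feistel permutation; a stand-in for AES, not a real cipher."""
    L, R = blk[:BS // 2], blk[BS // 2:]
    for rnd in range(4):
        L, R = R, xor(L, _f(key, rnd, R))
    return L + R

def D(key, blk):
    L, R = blk[:BS // 2], blk[BS // 2:]
    for rnd in reversed(range(4)):
        L, R = xor(R, _f(key, rnd, L)), L
    return L + R

def pfb_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = xor(E(key, p), prev)      # C_i = E_K(P_i) XOR C_{i-1}
        out.append(prev)
    return out

def pfb_decrypt(key, iv, cblocks):
    chain = [iv] + cblocks               # C_0 = IV
    return [D(key, xor(c, prev)) for prev, c in zip(chain, cblocks)]

def keyless_view(iv, cblocks):
    """Computable without the key: C_i XOR C_{i-1} = E_K(P_i)."""
    chain = [iv] + cblocks
    return [xor(c, prev) for prev, c in zip(chain, cblocks)]

def demo():
    key, iv = b"constructed key!", bytes(BS)   # constructed sample values
    pt = [b"PAY ALICE $100.0", b"PAY BOB   $999.9", b"PAY ALICE $100.0"]
    ct = pfb_encrypt(key, iv, pt)
    view = keyless_view(iv, ct)
    # (round trip ok, equal plaintext blocks exposed, raw ciphertext blocks equal)
    return pfb_decrypt(key, iv, ct) == pt, view[0] == view[2], ct[0] == ct[2]
```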
Solution:
(a) (3 pts) Explain how an adversary can recover the secret key (i.e., x) when the signer reuses the same random
number r for two different messages. State your assumptions.
(b) (3 pts) Consider a variant of ElGamal signature scheme where m and r are swapped in the signing algorithm,
i.e., a digital signature of message m is: [k, c] = [b^r mod p, (r − x · k) · m^(−1) mod p − 1]. What is the formula
for verifying the signature [k, c] in this variant?
(c) (3 pts) Are there any security problems in the variant, described in (b)? If so, identify one and briefly justify
it. If not, explain why not. (Note that in this question, you cannot assume that the signer will reuse the same
random number r.)
(Hint: This is a digital signature scheme, so a message needs to be sent along with its signature. Or simply put,
in this scheme, a message is always visible to public and thus also to the adversary.)
Solution:
(a) Consider two signatures [k, c1] and [k, c2] for messages m1 and m2 respectively.
c1 − c2 = (m1 − x · k − m2 + x · k) · r^(−1) mod p − 1
(c1 − c2) · r = (m1 − m2) mod p − 1
Assume (c1 − c2) has an inverse mod p − 1. Then:
r = (c1 − c2)^(−1) · (m1 − m2) mod p − 1
Once you learn r, it is easy to find x: x = (m1 − c1 · r) · k^(−1) mod p − 1.
(b) k = b^(mc) · y^k mod n. This is because b^(mc) · y^k = b^(r−x·k) · y^k = b^r · b^(−xk) · b^(xk) = b^r = k mod n.
(c) An adversary can forge a signature of any message if he knows one legitimate signature of one message. A
signature of any message m′, given m and [k, c], is [k, c · m · m′^(−1)] = [k, (r − x · k) · m′^(−1)].
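Added example (not part of the original exam): solutions (a) and (c) carried out on toy parameters p = 467, b = 2, x = 127, which are constructed for illustration, as are the function names and messages. The variant check from (b) is evaluated modulo p here, and the messages are chosen so that the inverses the solutions assume exist mod p − 1.

```python
# Toy parameters, constructed for illustration (far too small for real use).
p, b = 467, 2            # public prime and base
x = 127                  # signer's secret key
y = pow(b, x, p)         # signer's public key
q = p - 1                # exponents are reduced mod p - 1

def sign(m, r):
    """Standard scheme: [k, c] = [b^r mod p, (m - x*k) * r^-1 mod (p-1)]."""
    k = pow(b, r, p)
    return k, (m - x * k) * pow(r, -1, q) % q

def verify(m, k, c):
    return pow(b, m, p) == pow(y, k, p) * pow(k, c, p) % p

def recover_key(m1, c1, m2, c2, k):
    """Solution (a): needs (c1 - c2) and k invertible mod p - 1."""
    r = pow((c1 - c2) % q, -1, q) * (m1 - m2) % q
    return (m1 - c1 * r) * pow(k, -1, q) % q

def sign_variant(m, r):
    """Variant from (b): [k, c] = [b^r mod p, (r - x*k) * m^-1 mod (p-1)]."""
    k = pow(b, r, p)
    return k, (r - x * k) * pow(m, -1, q) % q

def verify_variant(m, k, c):
    return k == pow(b, m * c, p) * pow(y, k, p) % p

def forge_variant(m, k, c, m_new):
    """Solution (c): [k, c * m * m'^-1] verifies for m'; x is never used."""
    return k, c * m * pow(m_new, -1, q) % q

def demo():
    r = 213                                  # the reused "random" number
    (k, c1), (_, c2) = sign(100, r), sign(57, r)
    assert verify(100, k, c1) and verify(57, k, c2)
    recovered = recover_key(100, c1, 57, c2, k)
    kv, cv = sign_variant(57, 99)            # one honest variant signature
    forged = forge_variant(57, kv, cv, 101)  # new message m' = 101
    return recovered, verify_variant(101, *forged)

if __name__ == "__main__":
    print(demo())
```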
Solution:
The scheme starts by having a trusted third party (TTP) generate a large composite number n, which is a product
of two primes p and q. In addition, TTP generates a public RSA exponent e and a private RSA exponent d. TTP
publishes n and e but keeps p, q and d secret. Suppose a prover’s public identity (e.g., name or phone number) is
I. TTP then gives the prover the value B = I^(−d) mod n, which serves as his/her secret.
The identification protocol then consists of 4 steps and can be described as follows:
1. The prover (PRV) chooses a random number r ∈ Z*_n and computes T = r^e mod n. PRV then sends T to the
verifier (VRF) and keeps r secret.
Question:
Solution:
Solution: